Firms Regularly Leak Sensitive Data to the Cloud

The average worker shares nearly 40 files containing sensitive information with the public or co-workers, according to an analysis by Elastica.

The cloud allows for the convenient storage of information for on-the-go workers and gives them the ability to broadly share information with colleagues, but many people do not consider the security implications of putting sensitive data in the cloud, according to a recent study done by cloud-security firm Elastica.
The survey found that each worker stored an average of 2,037 documents in cloud storage services. The workers broadly shared an average of 185 documents with colleagues, their company or the public, and 20 percent of the documents contained sensitive or compliance-related data, according to the report.
Companies need to develop the ability to know what documents their employees are sharing because blocking cloud applications does not work for long, Rehan Jalil, president and CEO of Elastica, told eWEEK.
"You can't stop the sharing, but you need new methods to monitor it to make sure that you are not leaking data," he said. "It's a problem that they need to be aware of and that they need to educate employees on."

Cloud services have taken off over the past half decade, with Dropbox, Box.com and others attracting hundreds of millions of users. Many employees use their accounts without the knowledge of their companies' IT departments, a problem frequently referred to as "shadow IT." While using unapproved services can make employees more flexible and productive, it can lead to data leakages, Jalil argued.

The Elastica study is not the first to pinpoint the leakage of sensitive data to the cloud.
Only half of companies know how their cloud provider secures their data, and only a bit more than a third had done due diligence to find out, according to an April report from the Ponemon Institute. Companies' visibility into other aspects of their cloud-service providers' operations has also been identified as a problem.
The Elastica study found that most IT departments did not know how many cloud services were used by employees, how many files employees shared with others and how many of those documents contained sensitive data.
Roughly 2 percent of the more than 100 million documents scanned by the company contained sensitive information, according to the report. The majority of those files—about 56 percent—included personally identifiable data, such as Social Security numbers, while 29 percent contained sensitive health care information and 15 percent contained payment card information, the study found.
The trade-off between productivity and security means that companies cannot just block cloud applications or the ability of employees to store their data in the cloud. Instead, companies need to have automated systems to detect when data is being moved to the cloud and react by applying the appropriate corporate policy, Jalil said.
"It is not a one-time clean up," he said. "Every minute there are files being shared, things are going out and coming in, so it has to be automated."